Rosenthal, Personal Data without Identifiability?, digma 4/2017

David Rosenthal wrote an essay in the just-published issue 4/2017 of digma [Swisslex] on the topic of "singularization", i.e. on the question of whether a person counts as identifiable if that person cannot be identified but can be distinguished from all other persons by a unique data item. This question arises in the light of Art. 4 No. 1 GDPR, according to which any information is considered "personal data" which

in particular by means of assignment to an identifier such as […] an identification number […] or to one or more particular characteristics expressing the […] identity […].

Recital 26 states in this regard that, in assessing the reference to persons

account [shall] be taken of all means that are likely to be used by the controller […] to identify the natural person directly or indirectly, such as singling out.

Therefore, the question arises whether singling out – i.e., singularizing – is sufficient to establish the reference to a person. Rosenthal comes to the following conclusion:

The concept of personal data has not changed with the GDPR. The "relative" approach still applies, which is based on whether or not the person who has access to certain data can identify the persons affected by it. This also applies in the EU, where the ECJ recently confirmed this with its decision regarding IP addresses. The concept of "singularization" does not change this. A data record singularizes a person if, like a fingerprint, it is so specific that it can only refer to him or her, even if it is not known who is involved, as is the case with genetic data. The GDPR mentions singularization as an indication of identifiability, but it alone is not sufficient. For this purpose, the article presents the "reference data test": According to this, personal data exists if a match can be made between the data in question and data records of a single, real person already available or accessible to the processor. Genetic data and IP addresses are therefore never per se personal data.
